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(54) Method and apparatus for securely determining aspects of the history of a good 



(57) The present invention provides methods and 
apparatus to detect and reliably record the physical his- 
Joj^of a product including effects due to one or more of 
the following: 1) product use 2) handling 3) tampering 
and 4) environment of the product (as changes in the 
environment, such as excessive temperature s, humidi- 
ty, or shocks, can result in degradation to a product). 
The apparatus includes a "smart card", or, more gener- 
ally, "smart token", in combination with one or more sen- 
sors which record the external influences on the product 



and/or the environment and records those changes in 
an encrypted form. This information can then be verified 
by any individual who is equipped with a (possibly pub- 
lic) decryption key, but capability to modify this informa- 
tion, depending on the application, is restricted to those 
with access to the encrypting key. Furthermore, the ap- 
paratus contains authentication information ^ which can 
be reliably verified, in particular to confirm that the ap- 
paratus is attached to the product it supposed to be at- 
tached to. 
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Description 

[0001] The present invention generally relates to se- 
curity of consumer goods and, more particularly, to the 
use of smart tags in maintaining product security. 
[0002] There is a need for certain products to be 
equipped with some apparatus which can provide infor- 
mation about the current state of the product as a result 
of events the product was subjected to prior to becoming 
in the possession of a potential consumer. Examples in- 
clude the state of medical or food products prior to their 
being used by a consumer. 

[0003] Also, consumers sometimes have the right 
and/or the need to know whether a product is brand new 
or not. This is especially true of expensive items. There 
is also a need for a product to be equipped by some 
apparatus which can record some aspects of the prod- 
uct history, for example in the case of automobiles 
where today odometers indicate, not very securely, one 
aspect of the history of the automobile. 
[0004] Another context for the invention is the fact 
that, in some cases, the containers of some products 
are reused by the manufacturer, and the consumer 
would like to know if the product in the container is new 
or not, and if the container has been reused by a third, 
unauthorized, party. There is also a need for a method 
to detect whether the product has deteriorated, either 
because of defects, or because its expiration date has 
passed, or because of unwanted change in the environ- 
ment, for instance in the form of excessive cold, heat or 
humidity. These scenarios require an apparatus which 
can detect the physical forces a product was subjected 
toas a result of use, handling, tampering or environmen- 
tal factors. For either human intervention or environ- 
mental factors, it may be important in some circum- 
stances that the recorded history ^of such events be very 
difficult to modify or counterfei t. 
[0005] The prior art contains many methods involving 
seals and enclosures which allow one to detect when a 
package has been tampered with. Such prior art go way 
back in history, and a multitude of improvements, with 
very general or very specific uses, have been proposed 
which benefit from the general progress of technology 
For example, U.S. Patent No. 5,159,629 to Glen R Dou- 
ble and Steve H. Weingart describes an intrusion barrier 
for protecting an electronic assembly from tampering. 
The prior art also contains methods of recording chron- 
ological information such as a data logge r which stores 
information on a product as described in U.S. Patent No. 
5,010,560 to Mark A. Janney, Roger Newey, and Irwin 
J. Robinson. 

[0006] However, these methods do not overcome the 
problem of providing a tamper evident history of a prod- 
uct and/or of its environment. The prior art does not al- 
low the information about the history of a product and/ 
or of its environment to be securely recorded and kept. 
[0007] According to a first aspect, the invention pro- 
vides a method of recording and storing information in 
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an integrated smart tag about at least one of physical, 
chemical and environmental effects on an object, over 
time, comprising the steps of: sensing data regarding a 
state of said object or an environment of said object, 
5 with at least one of a plurality of sensors; and sending 
a signal from said sensor to a storage device embedded 
within the smart tag. 

[0008] According to a second aspect, the invention 
provides a smart tag system comprising: a storage de- 

10 vice; a sensor for sensing data regarding a state of an 
object or an environment of an object; and means for 
sending the sensed data to said storage device. 
[0009] In the following, terms such as "impossible to 
change" or " tamper-pro of" should be understood to de- 

*s scribe situations in whicTi sufficient resistance to tam- 
pering is provided to make successful attacks rare due 
to cost/benefit issues, since codes, etc., can theoretical- 
ly be broken if sufficient resources are brought to bear 
on the attack. 

20 [0010] The invention uses a smart card (also known 
as smart tag), as described in U.S. Patent Nos. 
3,971,916, 4,007,355, 4,092,524, and 4,102,493 to Ro- 
land Moreno, or, more generally, a smart token, in com- 
bination with sensors attached to the product and/or to 

25 the smart card: upon tampering, or as a response to oth- 
er circumstances, the sensors generate signals which 
are preferably encrypted and recorded in the memory 
or storage device of the smart card attached to the prod- 
uct. 

30 [0011] Recall that, for example, by using a zero- 
knowledge protocol, a smart card can be authenticated 
but cannot be duplicated. This technology has been dis- 
closed for instance in U.S. Patent 5,140,634 to Guillou, 
et al. This is the property which characterizes a smart 

35 card. Accordingly, in the rest of the present disclosure, 
any electronic component with these properties and 
which has some memories and/or some processing ca- 
pabilities, will be called "a smart token" or "a smart card", 
even if it does not actually take any form resembling a 

40 card. A general reference to smart card technology and 
applications can be found in Smart Cards: A Guide to 
Building and Managing Smart Card Applications, by 
Henry Dreifus and J. Thomas Monk, John Wiley & Sons, 
1998. 

45 [0012] When the product or its packaging is tampered 
with, some attribute of the product or its environment 
changes. This change is what is detected by (at least 
some of) the sensors attached to a smart card, and the 
smart card will record this change irreversibly by erasing 

50 or writing some information within the smart card mem- 
ory. The smart card also can be made duplication resist- 
ant by using a zero-knowledge protocol so that only the 
manufacturer of the original product, and/or possibly a 
trusted third party, for example, can produce or buy such 

55 smart cards. The smart card also can record the history 
of these changes in its internal memory. 
[0013] The foregoing and other objects, aspects and 
advantages will be better understood from the following 
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detailed description of a preferred embodiment of the 
invention with reference to the drawings, in which: 

Figure 1 A is an isometric diagram showing a smart 
tag attached to a product; 

Figure 1 B is a plan view showing detail of the smart 
tag shown in Figure 1; and 

Figure 2 is a schematic diagram showing the path 
from sensors to production of an electrical signal. 

[001 4] Referring now to the drawings, and more par- 
ticularly to Figure 1 A, there is shown a smart card 101 
attached to a product 106. As shown in Figure 1 B, the 
smart card is powered by a small power source such as 
a battery 102. In addition to the normal components in 
a smart card, such as memory or storage device 103 
and processing unit 104, and encryption module 107, 
the smart card is also connected to a sensor 105 (or 
some number of sensors) which can detect changes in 
the product and/or the environment due to tampering. 
[001 5] The encryption module can use any of the well- 
known (public or private) encryption algorithms such as. 
Rivest, Shamir and^Adleman (RSA) or Data Encrypti on 
Standard (PES), as described for example in Han dbook 
of Applied Cryptography, by Alfred J. Menezes, Paul C. 
van Oorschotand Scott A. Vanstone, CRC Press, 1997. 
A discussion on cryptographic issues related to smart 
cards can be found in the aforementioned book by Drei- 
fus and Monk. The encryption algorithms can be imple- 
mented as software modules on the main processor of 
the smart card, or they can be executed in specialized 
hardware. An example of such specialized hardware 
currently used as a cryptographic accelerator to a per- 
sonal computer is the LunaVPN cryptographic acceler- 
ator manufactured by Chrysalis-ITS, Ontario, Canada. 
[0016] The entire smart card can be protected by a 
tamper proof package 109, such as the one described 
in U.S. Patent No. 5,159,629. The smart card should be 
tamper evident in the sense that any attempt in deter- 
mining and/or changing the data in the smart card would 
result in erasure of this data and/or destruction of some 
element of the smart card. To prevent tampering with 
the smart card itself, the packaging can include a trip 
wire or magnetic circuit forming a closed connection with 
the sensor and any tampering with the product involves 
opening the packaging in such a way as to break this 
connection and trigger an (irreversible) change within 
the smart card. In certain circumstances the tamper 
proof feature and encryption may not be necessary. 
[0017] Other mechanisms can also be used to the 
same ends of preventing modifications and/or duplica- 
tion of the smart card or its data content, examples being 
obtained as easy modification of the invention in U.S. 
Patent No. 5,159,629. 

[0018] The sensor can also be an on-chip pressure 
sensor or a pressure sensor such as the NPP, NPC or 



NPH series pressure sensor manufactured by Lucas 
NovaSensor of Fremont, California, with the product 
packaged under low pressure. Tampering with the prod- 
uct necessitates opening the packaging and allowing 
5 outside air to reach this sensor. This change in pressure 
is recorded by the smart card. For improved protection, 
the package can also contain a pump to randomly vary 
the pressure inside the package. In this case the pres- 
sure sensor measures the pressure, Psensor, inside the 
10 package and compares the sensor reading to the proc- 
essor command, Pcomputer, to the pump. A difference 
signal can be computed as 

Pdifference = Pcomputer - Psensor 

If the Pdifference is greater than a threshold Pthresh, 
then the package is considered to be tampered with. 
[0019] In yet another implementation, the smart card 
has a light sensor such as the photodetector 
MTD3010PM made by Marktech Optoelectronics, 
Latham, New York. The smart card is then packaged so 
as not to be exposed to light. When the product is tam- 
pered with, light wilt reach this sensor and the smart card 
will record this change. One may use an optoelectronic 
sensor which can detect electromagnetic radiation be- 
yond the visual spectrum such as infrared or ultraviolet 
radiation. Whichever part of the spectrum is used, sup- 
plementary sources of radiation can be used, with ran- 
dom levels, as described previously in the case of the 
pressure sensor, to enhance the security. 
[0020] Similarly, a temperature sensor such as the 
TMP03 series sensors manufactured by Analog Devic- 
es, Norwood, Massachusetts, can be used to detect 
changes in temperature, in applications where the tem- 
perature at which a product is shipped has to be main- 
tained in a certain range. 

[0021] In applications such as in motor vehicles where 
the detection of shock is needed, an accelerometer such 
as the Analog Devices ADXL05 or Lucas NovaSensor 
NAC series accelerometer can be used as the sensor 
(or as one of the sensors). 

[0022] In one application of a smart tag vehicle sen- 
sor, the smart card records the output of the ADXL05, 
generates a time stamp and encrypts and stores the re- 
sult into the memory 103 of the smart tag. In addition, 
other sensors, such as the TMP03 t emperature sensor 
.mav also be logged and store d. The vehicle speedom- 
eter readings and odometer readings may be time 
stamped, encrypted also stored in the memory 103. The 
location of the vehicle is often important in indentifying 
the types of weather conditions the vehicle has been 
subjected to, and adding a GPS system whose output 
is securely recorded in memory may also be added. The 
combination of the time history of the shock, tempera- 
ture, speed history, mileage history and geographic lo- 
cation can be used to create a secure vehicle history 
which can be made available to evaluate the condition 
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of the vehicle. 

[0023] An example of such a history is summarized 
below: 

Vehicle History = 
mileage 
50,000 miles 
max shock 
10g 

max temperature 
90 F 

minimum temperature 
50 F 

max speed 
85 mph 

vehicle location 
Florida 90% of miles 
other 10% of miles 

[0024] Depending on the product, the sensor (or the 
combination of sensors) detects mechanical, electro- 
magnetic and thermal properties, and more generally a 
physical and/or chemical property or a combination 
thereof. References for sensors detecting chemical 
properties are found in An Introduction to Electronic 
Nose Technology by J. Gardner, Neotronics Scientific, 
Warwick, 1996. Once a change is detected beyond 
some fixed threshold (or when the data captured by the 
sensors differs enough from a computed random se- 
quence) at 105, it will be irreversibly recorded within the 
smart card 101. Time stamping of the event provides a 
recorded history for the device; secure time stamping 
can be achieved for instance by attaching a clock or tim- 
ing unit to the smart card inside the tamper proof pack- 
age 109. 

[0025] As shown in Figure 2, for instance, using such 
physical properties as piezoelectricity, the sensor 105 
such as a Murata PDGS-00LA-TC accelerometer pro- 
duces a voltage 1 1 3 in response to an external force 
input which results in an acceleration of the sensor. 
When the electronic signal 1 1 3 exceeds some predeter- 
mined threshold 110 a comparator 111 is triggered to 
produce a logic level output to power up the smart card. 
As a consequence, once a shock is detected greater 
than a predetermined threshold, it will be irreversibly re- 
corded as a change within the smart card 101. This 
same concept could be adapted to accommodate ran- 
dom input as an additional means to protect against en- 
tering a package containing a product. 
[0026] The re corded data is encrypted and provides 
a history of ph'ysicaLe vents of the product. A nybody in 
possession of a (possibly public) key can retrieve the 
data which, once processed by proper algorithms, al- 
lows determination of the product state, and allows rec- 
ognition that the smart card is attached to the product 
to which it is supposed to be attached. Such analysis 
can include, but is not limited to, the temperature to 
which the product was subjected, shocks the product 
experienced, the first time the product was powered on, 
etc. 
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[0027] In some cases, if needed, the smart card will 
also keep a record of the history of changes by also re- 
cording the time. In all cases, the change in the product 
or its environment causes the state of the smart card to 
be changed irreversibly. This can be effected by the 
smart card erasing or writing some information in its in- 
ternal memory. 

[0028] Any person wishing to determine whether the 
product is new or not first authenticates the smart card 
using a zero knowledge protocol. He or she then queries 
the smart card for the information on whether the prod- 
uct has been opened or been tampered with. If both the 
authentication is successful and the smart card did not 
record any change in state, then it can be concluded 
that the product has not been tampered with. 
[0029] The smart card can be contactless (by which 
we mean that no physical contact with the card is need- 
ed when performing the authentication or querying) and 
is embedded into the product or its container: In this 
case, the authentication and query is made via some 
remote means. Such technology is currently available. 
For instance, in RFIDS as disclosed in U.S. Patent No. 
5,682,143 to Michael J. Brady, Thomas Cofino, Harley 
K. Heinrich, Glen W. Johnson, Paul A. Moskovitz, and 
George F. Walken. For early references, see, for exam- 
ple, U.S. Patent No. 4,063,229 to John Welsh and Ri- 
chard N. Vaughan, U.S. Patent No. 4,242,663 to Leo 
Slobodin, and U.S. Patent No. 4,646,090 to Daniel D. 
Mawhinney. 

[0030] For certain products, the output of the sensor 
105 is sent to processor 104 which executes a mathe- 
matical algorithm to determine a function of the history 
of the object and/or its environment. For example, milk 
containers temperature and time history can be used to 
determine the probability that the milk is sour according 
to a model, such as shown below: 
where T is the temperature of the milk container, t is 
time, and f is a function which can be determined exper- 
imentally. Th e process can result in a message which 
may or may not be encrypted. For instance, the mes- 
sage may be a visible indicat or to the consu mer. 
[0031] Some products (such as wine, food, chemical 
compounds, or pharmacological products) can deterio- 
rate with no known cause, in which case one cannot use 
only the control of the environment, but some sensor 
has to detect intrinsic chemical and/or physical proper- 
ties of the product. The inventive device could be used 
to record temperature, humidity, pressure, light, vibra- 
tion, shock, electromagnetic field, chemical composi- 
tion, and the opening of the packaging which contain the 
products. 

[0032] If the passing of the expiration date is to be de- 
tected, the smart card is equipped with a clock or timer 
which would record the expiration of the product when 
it occurs. 

[0033] In another embodiment, the inventive device 
may be used for detecting and recording changes in 
consumer electronic products. In addition, to the chang- 
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sending a signal from said sensor to a storage 
device embedded within the smart tag. 

2. A method as in claim 1 further comprising the step 
s of: 

securely recording said signal using encryp- 
tion of said signal in said storage device for later 
retrieval. 

10 3. A method as in claim 1 or 2 further comprising the 
step of recording a time in said storage device for 
each said signal sent to said storage device. 

4. A method as in claim 1 , 2 or 3 wherein said sensors 
is detect changes in one or more states of the of the 
object selected from the group comprising temper- 
ature, humidity, pressure, light, vibration, shock, 
electromagnetic field, and chemical composition. 

20 5. According to any preceding claim, a method further 
comprising the steps of: 

processing said sensed data to compute at 
least one of a plurality of functions of said data; 
25 and 

storing a combination of said data and values 
of said functions in a storage device. 

30 6. A smart tag system comprising: 

a storage device; 

a sensor for sensing data regarding a state of 
35 an object or an environment of an object; and 

means for sending the sensed data to said stor- 
age device. 

40 7. The system of claim 6 further comprising an encryp- 
tion means for encrypting said sensed data which 
is being stored in the storage device. 

8. The system of claim 6 or 7 further comprising a 
45 processing unit which acts upon said sensed data 
from said sensor to determine if said sensed data 
meets a threshold for recording in said storage de- 
vice. 



es described previously, hours of in-use time (power-on 
hours) for product may be recorded. 
[0034] The smart card may be created in an inactive 
state. After the smart card is attached to the product, the 
smart card is activated by sending a command to the 
smart card. This can be done remotely in the case of 
contactless smart cards. Once activated, the smart card 
will start monitoring the product and/or its environment. 
For added security, once activated the smart card can- 
not be deactivated unless it is destroyed. Alternatively, 
deactivation would cause an irreversible change in the 
smart card indicating that the smart card was deactivat- 
ed after activation. 

[0035] In yet another preferred embodiment, the 
smart card could be powered externally, for example by 
an RF (radio-frequency) energy source. The smart card 
has micromachined features on chip which are changed 
(for example, pieces could be broken off) when the prod- 
uct is tampered with. When the user needs to determine 
whether the product is tampered with, an external power 
source is applied to power on the smart card. The au- 
thentication phase is as before. Next, the microma- 
chined features are sensed either by the smart card or 
by the user to determined whether tampering has oc- 
curred. 

[0036] The present invention provides methods and 
apparatus to detect and reliably record the physical his- 
tory of a product including effects due to one or more of 
the following: 1) product use 2) handling 3) tampering 
and 4) environment of the product (as changes in the 
environment, such as excessive temperatures, humidi- 
ty, or shocks, can result in degradation to a product). 
The apparatus includes a "smart card", or, more gener- 
ally, "smart token", in combination with one or more sen- 
sors which record the external influences on the product 
and/or the environment and records those changes in 
an encrypted form. This information can then b e verified. 
by any individual who is equipped with a (possibly pub- 
lic) decryption key, but capability to modify this informa- 
tion, depending on the application, is restricted to those 
with access to the encrypting key. Furthermore, the ap- 
paratus contains authentication information which can 
be reliably verified, in particular to confirm that the ap- 
paratus is attached to the product it supposed to be at- 
tached to. 



Claims 

1 . A method of recording and storing information in an 
integrated smart tag about at least one of physical, 
chemical and environmental effects on an object, 
over time, comprising the steps of: 

sensing data regarding a state of said object or 
an environment of said object, with at least one 
of a plurality of sensors; and 



50 9. The system of claim 6, 7 or 8 further comprising 

a processor for computing one of a plurality of 
functions of said sensed data, and 

55 means for storing said sensed data and values 

of said functions of said sensed data in the stor- 
age device. 



5 



EP1 020 813 A2 




6 



EP 1 020 813 A2 




CO 



